Use A Data-Driven Security Program to Transform Organization Security

Posted on February 22, 2012 by admin

Data-Driven Security

How to Target, Focus and Prioritize
The Security Program

  by Caroline Ramsey-Hamilton

Management has to have Metrics

Management of a security program is no different than management of cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved. Historically, however, security has been run by a few unique professionals, perhaps with a military or law enforcement background and the security program has existed in a vacuum, with few ways to measure it’s effectiveness and value to the organization, except to list what hasn’t happened!

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization. Many security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs.

Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Very recent improvements in security technology, camera technology and its integration with computer networks and information security has allowed a massive amount of data to be collected.  Everything from digital images, to incident reporting and tracking, and even internet-based reporting of technical vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be improved or implemented, based on their return on investment.

Security has never been more important to the organization. Many court cases recently have been decided on the basis of whether the organization was using ‘due care’ and utilizing every ‘reasonable’ security precaution. Existence of adequate security has become very important in premises liability cases and will likely become equally important in future litigation.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls. Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1. Determining the value of the assets of the organization, including the facilities, the personnel, products, production facilities, raw materials, transportation, vehicles, information technology equipment, data and information. In additional to quantifying present day replacement value, the sensitivity of various information assets and a determination of their criticality to the main mission of the organization must be determined.

2. Analyzing the Threat Level affecting the organization, including analyzing of incident report logs which would indicate how many potential intrusions have been attempted, as well as an analysis of physical intrusion indicators, such as missing badges, any security incidents, and any indications of industrial espionage which have been reported, either at the facility under review, or at any of the organization’s other facilities. Industry data on intrusions in similar companies or analogous agencies is also very helpful in determining threat level.

Many companies now use reports which quantify threat data, including statistics on criminal activity by exact location, by zip code (such as the Uniform Crime Index) as well as many information sources of weather data, such as NOAA (U.S. National Oceanographic and Atmospheric Administration, various international associations and government agencies.

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the receptionist to the CEO.  To ascertain the weaknesses in the way the employees comply with security, there are new electronic survey tools,( like Risk Watch®)  which measures security compliance against published standards such as FEMA 426, (How to Protect Buildings Against Terrorist Attacks). control standards.  New regulations, like Joint Commission, Behavioral Health and Workplace Violence (OSHA 3148) require such compliance-based
baseline assessment surveys.

4. Identifying potential categories of loss, which would include components like direct losses (damage/destruction), injury or death to either staff or patients/customers/vendors; theft of property or product,  theft of data/information,  and loss of an organization’s reputation. These loss categories are used to quantify the effect of threats on the organization because you can estimate the loss impact on various functions of the organization.

5. Safeguards (Controls) include all the possible controls that could protect an organization either by reducing the likely of a threat occurring, or reducing the amount of damage that the organization sustains from a threat that materializes. Controls are quantified by:

a. Life Cycle of the Control – How Long They are Good for.

b. Cost to Implement the Control to 100% in the organization

c. Indication of the percentage that the control is already implemented in the organization

By accumulating data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls.

Advantages of a Data-Driven Security Program

The primary advantage of a data driven security program is that it provides support for the security function within the organization by being able to illustrate directly how security not only protects the organizational assets, but also, how the security profile changes over time.

In addition, it becomes possible to benchmark the various plants and facilities against themselves, and against both domestic and international standards, including military standards for the Defense Industrial Base. For example, if a multinational company with facilities and networks around the world can analyze their security based on the principle of a data-driven security program, then they can instantly identify the areas or facilities that have problems and address them much more quickly and effectively than they could if they were depending on a fuzzy, quantitative assessment method. When an organization makes the decision to adopted a more disciplined approach to analyzing security risk, they must also use all the other typical management functions such as planning, development of a budget and incorporation of the plan into the organization’s overall planning.

After the initial baseline risk assessment, and using the input from the analysis, the organization can began to develop implementation strategies to address the vulnerabilities identified in the assessment. As each vulnerability is addressed, cost-effective mitigation strategies can be put in place.

At the same time,  the security plans and policies can be measured so that policy changes can be made, if necessary, or training and awareness programs can focus in the areas that need reinforcement with the organization.

The Security director, using his already established budget and implementation timelines for each safeguard, can then manage the improvements, using either internal staff or he can make the decision to outsource the additional controls (or their implementation).

These improvements can be tracked themselves, to establish how effective they are in their individual tasks, and also can be periodically re-assessed to see how the organization’s total security profile has improved.

The first benefits from a data driven security program emerge during this implementation phase because not only can you measure how much more effective the new security configurations are, but there is an additional value-added component of
re-acquainting the employees with the security program and increasing awareness across the organization.

To ensure continued value in the program, collection mechanisms such as automated incident response, threat reporting and vulnerability reviews must be automated. There are new security software programs that evaluate and analyze these types of data and can dramatically increase the effectiveness of a data-driven security program.

This type of data-driven security program creates a security program that becomes a baseline for management to quickly assess the security profile of the entire organization.  It makes it easier to provide a safe, and secure workplace for both management and employees, and may decrease the possibility of a workplace violence incident, theft or domestic or international terrorist attack.

This data-based concept of risk management creates a bridge between executive management and the security professionals in the organization who now have an avenue for open communication, discussion and consideration of the role of security throughout the organization.

 

About the Author

Caroline Ramsey-Hamilton is the founder of Risk Watch International, and a leading security risk assessment expert.  She was a Charter member of the National Institute of Standards and Technology’s Risk Management Model Builders Workshop from 1988 to 1995.  From 1996-1998, she served on the working group to create a Defensive Information Warfare Risk Management Model,  (DIWRM2) under the auspices of the Office of the Secretary of Defense.  She was also a member of the National Security Agency’s Risk Rating Workshop and the IBM Data Governance Working Group to create a Data Governance model for the nation’s largest banks.

She has developed specialized risk assessment programs for HIPAA, Information Security, FFIEC, GLBA, Sarbanes Oxley, and corporate security programs including working with The Clearinghouse, large investment banks, the Federal Reserve and a variety of other Federal agencies on Risk Assessment guidelines.   In addition, she is a member of the ASIS Physical Security Council, SARMA( the Security Risk Management Association) based inWashington, D.C.  Ms. Ramsey-Hamilton is certified in Homeland Security and Anti-Terrorism and recently received a lifetime achievement award from the Anti-Terrorism Accreditation Board and the Maritime Security Council.

Hamilton works around the world on critical risk issues including a new set of risk assessment guidelines for the Nuclear Regulatory Commission, a risk model for airport security and a risk model for medication error with Philadelphia Children’s Hospital.

She has completed Risk Assessments for over twenty-five U.S. government agencies including the Department of Defense, the Technical Support Working Group, and the Nuclear Regulatory Commission, and many healthcare organizations including Cleveland Clinic, HCA, Sheikh Khalifa Medical City, the University of Miami Medical Center and many more.  She has written several books and articles over twenty-five different publications.

www.caroline-hamilton.com

caroline.r.hamilton@gmail.com

 

 

TWEET: http://twitter.com/riskalert

Posted in accountability, Compliance, Convergence, Corporate Security, Data-Driven Security, Risk, risk assessment, Risk Assessment & Compliance, RiskAlert, Workplace Violence Prevention | Tagged , , , , , | Leave a comment

Data-Driven Security – Using Metrics to Focus & Target Security Programs

Posted on February 9, 2012 by admin

Security programs can be dramatically improved by using a metrics-based assessment to focus them on the areas of greatest threat, and to use metrics as a management tool to keep the security program targeted on the areas that need the most attention.

Using a data-driven approach – that is, using real numbers to measure
and quantify security, always results in tangible improvements.

Management of a security program is no different than management of any other department, whether it’s human resources, cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved.

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization.

Most security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs. Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Fortunately, recent improvements in security technology and in development of wider reporting of threats and vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be implemented,  based on their return on investment.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls.

Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1.  Determining the value of the assets of the organization, including the facilities, the personnel, the security systems and the current controls.

2.  Analyzing the Threat Level, based on either internal incident reports, or industry data, including the Uniform Crime reports. 

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the local facility manager to the CEO to find out how they are implementing security in their workplace.

4. Identifying potential categories of loss, which help focus the security program on the problem areas.

5. Analyzing current Controls that are currently in place, or that could be added to protect an organization.

By gathering data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls and prioritize security controls by “bang for the buck”.

Using data-based security builds a bridge between executive management and the security professionals in the organization who now have an avenue for open communication and consideration of the role of security throughout the organization.

 

 

 

Posted in accountability, Corporate Security, Data-Driven Security, Facilities Security, Hospital Security, Managing the Risk Assessment, Regulatory Compliance, return on investment, Risk, risk assessment, Security Governance, Security Model, Threat Assessment, Workplace Violence, Workplace Violence Prevention | Tagged , , , , , , , | Leave a comment

Another Look at OSHA & Workplace Violence

Posted on February 1, 2012 by admin

I just finished reading a new book called HALT THE VIOLENCE, written and edited by Patricia Biles and her Alliance Against Workplace Violence group.  Here are some of my thoughts on it, if your organization has been evaluating workplace violence issues:

Here’s my review and why I think you should get it (Amazon) and take a look – it’s a short read — less than 150 pages.

I like the insider perspective on how to prevent violence in the workplace. Patricia Biles was a former OSHA (U.S Occupational Safety and Health Administration) employee and their guru on violence issues.  Her work with industry groups and individuals has given her rare insight on the subject of stopping the epidemic of violence, and she gives practical solutions that employers and individuals can use to halt the violence.

The book covers the escalation of violence in the workplace and how OSHA reacted to the problem, which came to the forefront in 1989.  She identifies the groups most affected by violent events at work, including nurses, healthcare workers, taxi drivers, convenience stores, and late night retail establishments in particular.

As well as covering a complete history of the issue, she also weaves together input from other experts who specialize in aspects of the overall workplace violence problem, including the problem of violence in hospitals,  the increased incidents of bullying in the workplace, the importance of early intervention and practical strategies for diffusing angy, aggressive individuals.

The important of risk management procedures, such as performing regular threat assessments is identified as one of the few ways to identify individuals who may pose a threat, although the authors point out that both the Virginia Tech shooter and Jared Loughner, the diagnosed schizophrenic who shot Gabby Giffords, her staff, and innocent bystanders in Tucson, were both examined, and had psychological profiles which stated they were ‘unlikely’ to be a threat to others.

Specific violence-prone workplaces are also identified and specific recommendations given for hospitals, home health and social workers, and educational institutions such as schools, colleges and universities.

In some ways, this is an insider’s book because it gives you the behind-the-headlines details, not only of major workplace violence incidents, but also a look at what it takes to create new laws and encourage congress and federal agencies to recognize the problem and take concrete steps to ‘halt the violence’!

All in all, this is a very insightful and practical look at a problem that affects every workplace and every person who goes to work and counts on returning home in the same condition.  Employers will want to implement the suggestions in the book on how to reduce violence in individual organizations, and it also offers a valuable perspective on how to comply with new OSHA standards and they continue to evolve their approach to this critical issue.

 

Posted in accountability, Facilities Security, Gun Violence, Hospital Emergency Departments, Patrica Biles, Violence Against Nurses, Violence in Healthcare, Workplace Violence, Workplace Violence Prevention | Tagged , , , , , , , , , | Leave a comment

Threat Modeling is the Exciting, Sexy Part of Risk Assessment

Posted on January 26, 2012 by admin

As a risk assessment professional, when I get into a risk discussion, most security people want to talk about THREAT!  Threat is the most sexy and exciting part of doing a risk assessment.

Threats are exciting all by themselves.  Think about all the threats you can name:

All the natural disasters like Earthquakes, Tornadoes, Storms, Hurricanes, Tsunamis, Lightning, Floods

Crimes like Homicide, Assault, Rape, Burglary, Theft, Kidnapping, Blackmail, Extortion

Terrorism like Sabotage, Explosions, Mail Bombs, Suicide Bombs

All the IT Threats like Malicous Code, Disclosure, Data Breaches, Theft of Data

And about 50 more including Chem/Bio incidents, Magnetic waves, High Energy Bursts, Microbursts, Contamination and Reputation Damage.

Each of these threats could theoretically occur at any time, but we try to establish a pattern of how often they have occurred in the past, in this location, in this county, in this country, in the company, etc.   So NASA, for example, gets thousands of hacker attacks, but another company, like the local Salvation Army, gets 1 every 10 years.

Same model for natural disasters, although you might have to factor in climate change, it’s easy to get the threat incidents for hurricanes in Florida, snow storms in Cleveland, earthquakes in northern California, etc.

We also like to examine industry specific data to see if some threats are higher in a certain industry, like the high incidence of workplace violence incidents in hospitals and high risk retail establishments (like Wawa or 7-11).

Another factor we use in calculating threat likelihood is how the threat could actually affect different types of assets…. for example, would an earthquake damage a car?  Probably not. Would it cause damage to an old historical building – probably (unless it had been retrofitted).  Could it cause loss of life, or injuries (think Haiti).

So I use a multidimensional model that takes the threats list (I have a standard list of 75 threats that I use), and map it to each potential loss, based on the ‘asset’ that might be affected.

The more data you get, the better your model will be, and the more value it will have as a decision support tool!

 

Posted in Building codes, Corporate Security, disaster recovery planning, Earthquakes, Emergency Preparedness, Facilities Security, Gulf Oil Spill, Haiti Earthquake, Natural Disasters, Nuclear energy, Risk Assumptions, RiskAlert, Threat Assessment, Threat Sources, Workplace Violence | Tagged , , , , , | Leave a comment

Why Violence in Hospitals is Increasing

Posted on January 9, 2012 by admin

Why Violence in Hospitals is Increasing

Violence is not a concept that people usually associate with hospitals.  For years, hospitals have been seen as almost a sanctuary of care for the sick and wounded in our society.   However, the perception of hospitals has been changing over the last fifteen years due to a variety of factors. 

  1. Doctors are no longer thought of as “Gods”.  This means they are
          are more easily blamed when a patient’s condition deteriorates.
     
  2. Hospitals are now regarded as businesses.  This perception has been
           been aggravated by television in shows like a recent “60 Minutes”, as well as
           by the effects of the recession on jobs and the loss of health insurance.
  3. Lack of respect and resources (funding) for hospital security departments
              Rather than being seen as a crucial protection for the hospital staff and
          patients, many security departments are chronically underfunded and used
          for a variety of non- security functions, such as making bank deposits for
          the hospital gift shop. 
  4. ASIS Security Association issued it’s industry guidelines for Workplace
         Violence     Prevention in September 2011, in conjunction with the SHRM – the
         Society for Human Resources Management to address this issue.

    The federal government   issued a guidance document for dealing with violence issues in healthcare,   OSHA 3148.01R, 2004, Guidelines for Preventing Workplace Violence for Health Care & Social Service Workers.

To Learn more:  join my webinar on Thursday, January 12th at 12 noon Eastern time by
       Clicking on this link:  https://www2.gotomeeting.com/register/835835290.

Posted in accountability, Hospital Emergency Departments, Hospital Security, Risk Assessment & Compliance, RiskAlert, Security Directors, Violence Against Nurses, Violence in Healthcare, Workplace Violence, Workplace Violence Prevention | Tagged , , , , , , , , | Leave a comment

No Way to Win an Election – A Risk Assessment

Posted on January 2, 2012 by admin

Watching the pandemonium that is the build up to the Iowa Caucus, you can follow the thread that pandering and trying to appeal to the lowest common denominator brings to the Iowa Caucus candidates.

They have taken what could have been an asset, and transformed it into the threat that each of the candidates seems to be fixated on –  that they will not be considered ‘enough of a social conservative’ and so will not win the caucus. 

So, by having a field of five (Paul, Newt, Santorum, Perry and Bachman) competing to be the most dogmatic, the most restrictive, the most anti-abortion, the most anti-immigrant, the most family-oriented, etc., they have actually pared down their own chances of winning.

Romney is running in the slightly more moderate vertical, which no one wants to compete in because it’s not such a knee-jerk distinction, which is why I left him out of this analysis.

In risk assessment terns, this means they have focused on addressing the wrong potential threat (not being conversative enough), and failed to address the real threat (losing the election or coming in dead last).

For the field of five, it turns out that by directly competing against each other, they energize their narrow social conservative vertical and that keeps all five of them alive, and the eventual  outcome is the splintering of that narrow field, which effectively prevents any one of them from anything close to a clear win.

It may be a great way to promote yourself for a later VP slot, or, who knows, maybe a future ambassadorship, but it’s NO WAY TO WIN AN ELECTION!

 

Posted in Political Risk Assessment, Risk, risk assessment, Risk Assumptions, RiskAlert | Tagged , , , , , , , | Leave a comment

Outlook on Risk & Security Compliance in 2012 – What to Expect.

Posted on January 1, 2012 by admin

This New Year’s Eve, I thought at times my neighbors were using a rocket launcher and several assault rifles to shoot up the New Year.  Lucky for me,  I spent the awake time to contemplate the outlook for risk, threat and security issues for 2012 and here’s what I see for 2012.

1.  Government-Mandated Compliance Is Here to Stay for the Healthcare Industry.

I remember when the IT departments are many hospitals thought George W. was going to revoke the HIPAA Security Rule.  It never happened, and this year, for the first time, there is a regulatory body in place that is intent on REAL ENFORCEMENT.

The Dept. of Health & Human Services, Office of Civil Rights,  has expanded HIPAA Security and Privacy Rules to include “Business Associates” including lawyers working in healthcare, and the infamous “3rd Party Providers” who do everything from warehouse data to taking over the IT function of a hospital, and this trend will continue as pressure builds from consumers who’s medical and financial data continues to be compromised.

2.  Workplace Violence Prevention will become an OSHA mandate, if not in 2012, at least by 2015.  Based on the slug-like pace of OSHA, who only recently provided directives for high risk industries, and the pressure from the more than 30 states who have passed their own regulations,  the pressure to stop the number of incidents and to lower their intensities will increase and management will be forced to address it as a major corporate issue.

3.  Pressure on the financial industry to protect consumer information will increase.  Like many other areas, pressure is increasing to prevent the enormous data breaches we saw in 2011, like Tricare, the recent Stratfor hack by Anonymous, Wikileaks and HealthNet breaches.  Consumers are the squeaky wheel and they want the convenience of plastic and internet use, and they will not tolerate breaches, and they are all registered voters!

The FFIEC has already tightened up on both risk assessment standards, as well as
authentication guidelines for all financial institutions.

 

There will be a increase in requirements for risk assessment as an accountability feature to force managers to maintain better security in all areas of their organizations. 

Accountability means that individual managers will be held responsible for the decisions they make regarding other people’s:

1.  Financial Data

2.  Medical Records

3.  Safety from both Violence & Bullying in their workplaces.

Budgets can be cut, and staff can be reduced but consumers are demanding protection of their information, and themselves, and the regulators will make sure they get it in 2012!

Posted in accountability, Compliance, Corporate Security, Gun Violence, HIPAA, HIPAA Risk Analysis, Hospital Security, Identity Theft, Medical Records, OSHA, OSHA CPL 02-01-052, Risk, risk assessment, Risk Assessment & Compliance, Uncategorized, Workplace Violence, Workplace Violence Prevention | Tagged , , , , , , , , | Leave a comment

What’s the Risk of Backing Newt Gingrich?

Posted on December 15, 2011 by admin

Hundreds of the shakers and movers in the Republican party AND the Democratic party are doing their risk assessments this week on who to openly support, and doing the risk calculation on whether it is better to wait and see what emerges, or make their comments/endorsements now and worry about the fall out later!

Here is the kind of risk model for politics that people use, often unconsciously- to make those decisions. Political risk is especially tricky because there are 2 stakeholders to consider:

1. what’s good for ME personally
2. what’s good for THE PARTY, DISTRICT, or COUNTRY.

Here’s a list of threats that politicians worry about in a situation like this:

1. Lose my current position
2. Lose my Power in the Party/Coalition/Media
3. Lose campaign contributions
4. Lose voters
5. Lose tea party support
6. Lose respect from peers
7. Lose future election
8. Lose income
9. Look wrong in the media
10. Create bad sound byte
11. Face Reprisals Later from Establishment
12. Lose Media Support (however it exists).

More tomorrow on how to value the assets of an ongoing campaign.

Posted in accountability, Managing the Risk Assessment, Political Risk Assessment, Risk, Risk Assumptions, Threat Assessment, Threat Sources, Uncategorized | Tagged , , , , , | Leave a comment

Crime and Punishment II – Sentencing of Rod Blagojevich

Posted on December 7, 2011 by admin

Today marks a historic day in the State of Illinois.  While the previous governor is still in prison on corruption charges, out-going, loud-mouth Rod Blagojevich is in court to receive his sentence on federal corruption charges.

This is a great moment for the judge and the judicial system to hand out a sentance that will help PERMANENTLY end the endemic corruption in the Illinois executive branch.

Americans always point out corruption issues in other countries — but this is the MidWest — the Heartland of America.  In fact, I know people who ONLY hire people from the midwest because they think they are more honest and more hardworking.

So I hope that this verdict will uphold justice because I firmly believe that a country is only as good as it’s justice system.  It defines everything else that happens (read my previous post on the SEC failures to enforce).

Every judicial decision, even a non-decision, sends out a strong message to the next potential corrupt politican that the State of Illinois, and the US as a whole, cannot allow corruption in our elected officials!

 

Posted in accountability, corruption, Federal Court, Justice, Justice Department, Regulatory Compliance, Risk Assessment & Compliance, Risk Assumptions | Tagged , , , , , | Leave a comment

HAS 60 MINUTES EXPOSED THE SEC SECRET – No Penalties for Big Banks?

Posted on December 5, 2011 by admin

On Sunday evening, December 5th,  60 MINUTES aired what I think is a ground-breaking bit of investigative reporting on how the SEC allowed big banks and mortgage companies to violate Sarbanes Oxley (SOX) requirements with total impunity.

Since the American public is still suffering from the mortgage meltdown – they are looking for answers and looking for punishment.  Crime and punishment usually go together in the Justice Department and law enforcement communities.

“You do the Crime – You do the Time”.

So one person is arrested for a victimless crime, like shoplifting a candy bar, but a big company, like Countrywide, or Bank of America, can crash a worldwide economy, lie on federal forms, commit perjury and saw intense financial destruction to millions of people, and they are allowed to keep the fortunes they made through this risky behavior, and, even better, there’s no jail time, no fines commensurate with crime, and no penalty for openly flaunting federal laws!!

WOW – what kind of message does this send?

For me, concerned day after day with helping organizations comply with federal mandates and laws, like SOX, and HIPAA, and OSHA, this makes a parody of compliance enforcement.

Companies spend millions of dollars to comply with these regulations, which are passed to protect the American public from exactly what just happened.  To find that the regulators are the ones who ignored the falsified attestations, forgave the lack of compliance and let these 21st century robber barons keep their ill-gotten gains makes me, and about 200 million other people, sick!

 

Posted in accountability, Compliance, Corporate Security, HIPAA, Risk Assessment & Compliance, Risk Assumptions, Uncategorized | Tagged , , , , , , , , | Leave a comment